The API Insecurity Challenge

Application Programming Interfaces (APIs) have become ubiquitous in IT. There are now more than 400 billion API calls per month. They enable applications to interact and systems to connect with external services.  

Think about the many layers of the networking stack. It begins with the physical layer and then there are additional layers dealing with different aspects of computing and interaction. Above them all are the APIs. They usually harness the HTTPS protocol to communicate or relay requests and responses. Thus, APIs are the glue that brings software elements together. In the cloud, they connect the client and the provider.  

But popularity usually creates other problems. Nobody bothered much with malware for Apple platforms until the company rose to dominance in the 2000s. Until then, almost all viruses were squarely aimed at Windows as it accounted for an overwhelming majority of all PCs and laptops. Once you reach a certain size or level of market penetration, though, cybercriminals are likely to take notice. In the case of APIs, getting close to half a trillion calls a month certainly warrants attention.  

The State of API Security  

API security has not been a topic of lengthy conversation until recently. APIs were thought of as something happening in the background – a relatively minor aspect of overall IT infrastructure. Due to their lack of stature, they haven’t received the attention they deserve from developers with regard to overall security.  

In some ways, this isn’t too dissimilar to the way applications were developed. Until quite recently, developers created their apps and then security features or patches were added after the fact. It has only been in the last few years with rampant data breaches and ransomware that we have seen the appearance of DevSecOps and other movements that aim to make applications more secure from the very early stages of their creation. The goal is to bake in security rather than cobble it on at a later point once use in the real world exposes its vulnerabilities.  

APIs have been late to the party. They have been somewhat neglected as a potential weak point in organizational defenses. And the bad guys are onto it.  

APIs, after all, are what expose services to the outside world. And they can be compromised. Common problems include vulnerabilities within the APIs themselves, misconfiguration issues, lax access controls that allow APIs to share too much information, personally identifiable information (PII) being exposed via APIs, and, in general, APIs not getting enough attention from security tools. No wonder hackers have learned different ways to exploit insecure APIs as a means of compromising systems or stealing data.  

 

Safeguarding APIs  

There are several steps that organizations should take to safeguard the APIs they utilize:  

  1. Add API security best practices to internal development efforts so you don’t perpetuate the API insecurity challenge.  
  2. Inventory all APIs in use: Due to the prevalence of APIs in just about every aspect of IT operations, few organizations have a good idea of the many ways their applications are touched by APIs. What is needed is a complete API inventory. Only by possessing such an inventory does it become possible to spot misconfigured, insecure, or unprotected APIs.  
  3. Inspect API gateways and the micro-services involved to reveal how access controls interact with APIs and to determine whether they expose too much information.  
  4. Ensure APIs are configured to prevent exposure of PII and to prevent violations of the many privacy regulations that apply.  
  5. Monitor how APIs are consumed to detect abnormal behavior or potential abuse.  
  6. Adopt sensible safeguards to keep the organization secure such as mobile device management, patch management, and vulnerability management.  
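
As an added illustration of steps 2 to 5 (not code from the original article or from any vendor), the sketch below builds an API inventory from gateway access logs and flags endpoints served without authentication, responses that contain PII, and a client requesting an unusual number of object IDs. The log format, the sample lines, the PII patterns and the threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed gateway log: client method path auth status response-sample
SAMPLE_LOG = """\
app-1 GET /v1/users/1001 oauth 200 {"name":"Ann","email":"ann@example.com"}
app-1 GET /v1/orders/77 oauth 200 {"total":12.5}
app-2 GET /v1/users/1002 oauth 200 {"name":"Bob","email":"bob@example.com"}
batch GET /internal/export none 200 {"ssn":"078-05-1120"}
app-3 GET /v1/orders/1 oauth 200 {"total":3}
app-3 GET /v1/orders/2 oauth 200 {"total":4}
app-3 GET /v1/orders/3 oauth 200 {"total":5}
app-3 GET /v1/orders/5 oauth 403 {}
"""

# Assumed PII patterns; a real deployment would use its own data classification.
PII = {"email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
       "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b")}
ID_SEGMENT = re.compile(r"/(\d+)(?=/|$)")   # numeric path segment = object id

def analyse(log_text, max_ids_per_client=3):
    """Return (endpoint inventory, sorted list of (endpoint, finding))."""
    inventory = defaultdict(lambda: {"calls": 0, "auth": set(), "pii": set()})
    ids_seen = defaultdict(set)             # (client, endpoint) -> object ids
    for line in log_text.splitlines():
        client, method, path, auth, status, body = line.split(" ", 5)
        # Collapse object ids so /users/1001 and /users/1002 are one endpoint.
        endpoint = method + " " + ID_SEGMENT.sub("/{id}", path)
        entry = inventory[endpoint]
        entry["calls"] += 1
        entry["auth"].add(auth)
        if status.startswith("2"):          # only successful responses leak data
            entry["pii"].update(k for k, rx in PII.items() if rx.search(body))
        ids_seen[(client, endpoint)].update(ID_SEGMENT.findall(path))
    findings = set()
    for endpoint, entry in inventory.items():
        if "none" in entry["auth"]:
            findings.add((endpoint, "served without authentication"))
        for kind in entry["pii"]:
            findings.add((endpoint, "response exposes " + kind))
    for (client, endpoint), ids in ids_seen.items():
        if len(ids) > max_ids_per_client:   # one client touching many objects
            findings.add((endpoint, f"{client} requested {len(ids)} object ids"))
    return dict(inventory), sorted(findings)

if __name__ == "__main__":
    for endpoint, finding in analyse(SAMPLE_LOG)[1]:
        print(endpoint, "-", finding)
```
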

Syxsense Enterprise delivers real-time vulnerability monitoring and instant remediation for every single endpoint in your environment, as well as IT management across all endpoints. This represents the future of threat prevention as it brings everything needed for endpoint management and protection onto one console. Breaches can be detected and remediated within a single solution. Unusual activities originating from API insecurity can be spotted quickly and dealt with. The Syxsense platform can scan for all vulnerabilities on any device, block communication from an infected device to the internet, isolate endpoints, and kill malicious processes before they spread. It can automatically prioritize and deploy OS and third-party patches to all major operating systems, as well as Windows 10 feature updates. IT and security teams can use Syxsense Enterprise to collaborate on the detection and closing of attack vectors. It offers management, control, and security for any and all desktops, laptops, servers, virtual machines, and mobile devices. 

For more information, visit www.syxsense.com